LDAP Kerberos authentication

2010-05-19 Thread Claer
Hello,

I'm playing with Kerberos authentication on my box and there
are some problems I need assistance with.

For the first time I saw a lack of documentation on OpenBSD
(well, maybe it's time to contribute :-)) regarding authentication.

The FAQ doesn't help much on Kerberos. It just says to read
# info heimdal. Well, I did, and I was a little disappointed. The
info is great for setting up a Kerberos server, but being new to Kerberos, I'd
have liked information on setting up a client.
After some hours of googling/learning, I finally managed to get the
Kerberos server running and configured the OpenBSD client as follows:

# cat /etc/kerberosV/krb5.conf
[libdefaults]
    default_realm = CLAER.HAMMOCK.FR

[realms]
    CLAER.HAMMOCK.FR = {
        kdc = diogene.claer.hammock.fr
        admin_server = diogene.claer.hammock.fr
        master_kdc = diogene.claer.hammock.fr
        default_domain = claer.hammock.fr
    }

[domain_realm]
    .claer.hammock.fr = CLAER.HAMMOCK.FR
    claer.hammock.fr = CLAER.HAMMOCK.FR

# ls -l /etc/kerberosV/krb5.keytab
-rw-------  1 root  wheel  358 May 15 15:45 /etc/kerberosV/krb5.keytab

From there, I can obtain a Kerberos ticket on the system:

# kinit claer
cl...@claer.hammock.fr's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: cl...@claer.hammock.fr

  Issued   Expires  Principal
May 19 10:06:28  May 19 20:05:51  krbtgt/claer.hammock...@claer.hammock.fr

The strange thing is that I saw this in the server log file:
May 19 10:06:34 diogene krb5kdc[18818](info): TGS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: UNKNOWN_SERVER: authtime 0,  cl...@claer.hammock.fr for krbtgt/ualberta...@claer.hammock.fr, Server not found in Kerberos database
May 19 10:06:37 diogene krb5kdc[18818](info): TGS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: UNKNOWN_SERVER: authtime 0,  cl...@claer.hammock.fr for krbtgt/ualberta...@claer.hammock.fr, Server not found in Kerberos database

It seems that the client is trying to get a ticket for the AFS client.
AFS is not enabled on my BSD box and I don't need it. The only reference
I found to UALBERTA.CA is /etc/afs/ThisCell. Is there a way to
disable this behavior?


Regards,

Claer



Re: LDAP Kerberos authentication

2010-05-19 Thread Antoine Jacoutot
On Wed, 19 May 2010, Claer wrote:
 It seems that the client is trying to get a ticket for the AFS client.
 AFS is not enabled on my BSD box and I don't need it. The only reference
 I found to UALBERTA.CA is /etc/afs/ThisCell. Is there a way to
 disable this behavior?

Yes.

[appdefaults]
kinit = {
afslog = no
}


-- 
Antoine



Re: LDAP Kerberos authentication

2010-05-19 Thread Claer
On Wed, May 19 2010 at 17:11, Antoine Jacoutot wrote:
 On Wed, 19 May 2010, Claer wrote:
  It seems that the client is trying to get a ticket for the AFS client.
  AFS is not enabled on my BSD box and I don't need it. The only reference
  I found to UALBERTA.CA is /etc/afs/ThisCell. Is there a way to
  disable this behavior?
 
 Yes.
 
 [appdefaults]
   kinit = {
   afslog = no
   }

Perfect :)

Now I can move forward and play with ypldap. Thanks.


Claer



Re: LDAP Kerberos authentication

2010-05-19 Thread Claer
On Wed, May 19 2010 at 17:11, Antoine Jacoutot wrote:
 On Wed, 19 May 2010, Claer wrote:
  It seems that the client is trying to get a ticket for the AFS client.
  AFS is not enabled on my BSD box and I don't need it. The only reference
  I found to UALBERTA.CA is /etc/afs/ThisCell. Is there a way to
  disable this behavior?
 
 Yes.
 
 [appdefaults]
   kinit = {
   afslog = no
   }

Continuing to play with Kerberos, I'm bringing ypldap into play.

This time, I'd like to use LDAP to add entries to getent passwd
and Kerberos for authentication (I'd like to avoid the login_ldap
step if possible). As my Kerberos setup is now OK, I declared the LDAP
server in /etc/ypldap.conf, started portmap, ypldap and ypbind, and added the
+: entries to passwd and group.

Now I have a working ypbind system. To confirm this, I renamed my
local account to _claer using vipw and verified the output of
getent passwd:

# getent passwd | grep claer
_claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
claer:*:1000:1000:Claer:/home/claer:/bin/ksh

Now the next step is to try an authentication with ssh. That's why
the auth entry in /etc/login.conf has been modified:

auth-defaults:auth=krb5-or-pwd,passwd:

But when I try to ssh in with -l claer, sshd doesn't seem to find
the claer passwd entry, and I get this line on the Kerberos server:

May 19 17:18:46 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database

Any hint?


Regards,

Claer
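
A small audit of the merged passwd view, added here as an example (my code, not anything posted in the thread or shipped with OpenBSD). It parses getent-passwd-style lines and reports duplicate UIDs (the local _claer and the YP-supplied claer above both carry 1000), entries with an empty password field, and entries whose password field is '*' and therefore can only get in if another login style, here krb5, accepts them. The sample text is constructed: names, UIDs and hash prefixes are made up and only imitate the layout of the getent output quoted above.

```python
"""Audit a merged passwd listing such as `getent passwd` output.

Added example for this thread, not code from the thread or from OpenBSD.
The sample below is constructed: names, hash prefixes and UIDs are made up
and only imitate the layout of the getent output quoted in the thread.
"""
from collections import defaultdict
from typing import NamedTuple


class PwEntry(NamedTuple):
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list[PwEntry]:
    """Parse 7-field passwd(5) lines; blanks, comments and +/- merge lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line[0] in "+-":
            continue  # '+:*:0:0:::/bin/ksh' is a ypbind merge directive, not a user
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PwEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def yp_merge_enabled(text: str) -> bool:
    """True when a '+' line is present, i.e. YP/ypldap entries get merged in."""
    return any(ln.startswith("+") for ln in text.splitlines())


def audit(entries: list[PwEntry]) -> dict:
    """Return findings a practitioner would want before enabling remote auth."""
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e.uid].append(e.name)
    return {
        # Two names on one UID own the same files and processes; a login as
        # either name ends up with the other's privileges.
        "duplicate_uid": {u: n for u, n in by_uid.items() if len(n) > 1},
        # Empty field: local password styles accept the login with no secret.
        "empty_password": [e.name for e in entries if e.password == ""],
        # '*' is not a hash: these accounts can only log in if another
        # auth style (here krb5) accepts them.
        "no_local_secret": [e.name for e in entries if e.password == "*"],
        # A local hash ($2a$... is bcrypt) is still usable by the 'passwd' style.
        "local_hash": [e.name for e in entries if e.password.startswith("$")],
    }


# Constructed sample in the shape of the thread's `getent passwd | tail` output.
SAMPLE = """\
root:$2a$08$3xampleHashOnlyForDemo1234567890abcdefgh:0:0:Charlie &:/root:/bin/ksh
_alice:$2a$06$3xampleHashOnlyForDemo1234567890abcdefgh:1000:1000:Alice:/home/alice:/bin/ksh
+:*:0:0:::/bin/ksh
alice:*:1000:1000:Alice:/home/alice:/bin/ksh
bob:*:1001:1001:Bob:/home/bob:/bin/ksh
nobody:*:65534:65534:nobody:/nonexistent:/bin/ksh
guest::2000:2000:Guest:/home/guest:/bin/ksh
"""

if __name__ == "__main__":
    print("YP merge line present:", yp_merge_enabled(SAMPLE))
    for check, hits in audit(parse_passwd(SAMPLE)).items():
        print(f"{check:16} {hits}")
```

Run it against real output with `getent passwd | python3 audit.py` after swapping SAMPLE for sys.stdin.read(); the point of the duplicate-UID check is that once the '+' merge is active, the name sshd resolves and the name that owns uid 1000 on disk are no longer guaranteed to be the same account.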



Re: LDAP Kerberos authentication

2010-05-19 Thread Antoine Jacoutot
On Wed, 19 May 2010, Claer wrote:
 _claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
 claer:*:1000:1000:Claer:/home/claer:/bin/ksh
 
 Now the next step is to try an authentication with ssh. That's why
 the auth entry in /etc/login.conf has been modified:
 
 auth-defaults:auth=krb5-or-pwd,passwd:
 
 But when I try to ssh in with -l claer, sshd doesn't seem to find
 the claer passwd entry, and I get this line on the Kerberos server:
 
 May 19 17:18:46 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database
 
 Any hint?

Did you add your host principal to /etc/kerberosV/krb5.keytab?

-- 
Antoine



Re: LDAP Kerberos authentication

2010-05-19 Thread Claer
On Wed, May 19 2010 at 01:18, Antoine Jacoutot wrote:

 On Wed, 19 May 2010, Claer wrote:
  _claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
  claer:*:1000:1000:Claer:/home/claer:/bin/ksh
  
  Now the next step is to try an authentication with ssh. That's why
  the auth entry in /etc/login.conf has been modified:
  
  auth-defaults:auth=krb5-or-pwd,passwd:
  
  But when I try to ssh in with -l claer, sshd doesn't seem to find
  the claer passwd entry, and I get this line on the Kerberos server:
  
  May 19 17:18:46 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database
  
  Any hint?
 
 Did you add your host principal to /etc/kerberosV/krb5.keytab?

Yep. If the claer local account is enabled, it works fine with
Kerberos auth. I can confirm this by watching the log files, and I even tried
altering the hashed password with vipw to be sure I was not using the
local password.

ypldap + ypbind are working fine:

# tail -n 2 /etc/passwd
_claer:*:1000:1000:Claer:/home/claer:/bin/ksh
+:*:0:0:::/bin/ksh
# getent passwd | tail -n 4
_claer:$2a$06$SgIzOv47AbodJPX7jzgAoOioV322Dk5Cha9VCyqgU/b6/YUDU4TM6:1000:1000:Claer:/home/claer:/bin/ksh
claer:*:1000:1000:Claer:/home/claer:/bin/ksh
megami:*:1001:1001:Megami:/home/megami:/bin/ksh
nobody:*:65534:65534:nobody:/nonexistent:/bin/ksh

I started a test ssh server on port  to check. Here are the
interesting debug logs:

debug1: userauth-request for user claer service ssh-connection method none
debug1: attempt 0 failures 0
debug1: unable to get login class: claer
input_userauth_request: invalid user claer
Failed none for invalid user claer from 172.16.1.100 port 52325 ssh2
debug1: userauth-request for user claer service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: userauth-request for user claer service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=claer devs=
debug1: kbdint_alloc: devices 'bsdauth'
debug1: auth2_challenge_start: trying authentication method 'bsdauth'
debug1: userauth-request for user claer service ssh-connection method password
debug1: attempt 3 failures 2
debug1: temporarily_use_uid: 4294967295/4294967295 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 4294967295/4294967295 (e=0/0)
debug1: restore_uid: 0/0
debug1: Kerberos password authentication failed: Client not found in Kerberos database
debug1: krb5_cleanup_proc called
Failed password for invalid user claer from 172.16.1.100 port 52325 ssh2

The log extract from authlog:
May 19 20:44:24 socrate krb5-or-pwd: verify: Client not found in Kerberos database

However, on the Kerberos server side, no request has been made for the
claer account:
May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database

Thanks for helping me so far!



Claer



Re: LDAP Kerberos authentication

2010-05-19 Thread Enrico Scichilone

On 19.05.2010 20:52, Claer wrote:

However, on the Kerberos server side, no request has been made for the
claer account:
May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database

Thanks for helping me so far!

Claer



Hi Claer,
I'm not sure if this helps, but I asked myself whether the client/user you
are connecting from is using Kerberos.


HTH.
enni | telsh

--
It is no use saying: We are doing our best.
You have got to succeed in doing what is necessary.
 -- Winston Churchill



Re: LDAP Kerberos authentication

2010-05-19 Thread Claer
On Wed, May 19 2010 at 14:21, Enrico Scichilone wrote:
 On 19.05.2010 20:52, Claer wrote:
 However, on the Kerberos server side, no request has been made for the
 claer account:
 May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database
 
 Thanks for helping me so far!
 
 Claer
 
 
 Hi Claer,
 I'm not sure if this helps, but I asked myself whether the client/user
 you are connecting from is using Kerberos.

There shouldn't be any difference. In this case, Kerberos is used to
verify the authentication of the user from the ssh server's point of view,
not to check whether the user already has a Kerberos ticket and log him in
automatically.

However, I did the test and it didn't change anything (as expected :) )


Claer
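
Two of the KDC symptoms in this thread (the TGS requests for a foreign krbtgt/UALBERTA.CA that afslog triggered, and the CLIENT_NOT_FOUND AS_REQ whose principal does not match the user sshd was asked to authenticate) can be pulled out of the logs mechanically. The script below is an added example, my code rather than anything posted in the thread or shipped with Heimdal, MIT Kerberos or OpenSSH. It parses log lines in the `krb5kdc[pid](info): ... _REQ ...` shape the KDC above logs in, plus OpenSSH "Failed ... for invalid user" syslog lines, and joins the two by time window. Every sample line is constructed: realm EXAMPLE.ORG, hosts kdc1 and sshhost, a principal named ghost that is only a placeholder (nothing is inferred about the truncated principal in the thread), and the year 2010 is assumed because syslog timestamps carry none.

```python
"""Correlate KDC request log lines with sshd authentication failures.

Added example for this thread, not tooling from the thread or from any
project it mentions. It parses MIT-style krb5kdc log lines (the shape the
KDC in the thread logs) and OpenSSH syslog lines. Every sample line below
is constructed: realm EXAMPLE.ORG, hosts kdc1/sshhost, made-up principals.
"""
import re
from datetime import datetime, timedelta
from typing import NamedTuple

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
KDC_RE = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) "
    r"\([^)]*\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# client@REALM for server@REALM; principals contain no whitespace or commas here
PRINC_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)")
SSHD_RE = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) sshd\[\d+\]: Failed (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
YEAR = 2010  # syslog timestamps carry no year; assumed for the constructed sample


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%b %d %H:%M:%S").replace(year=YEAR)


class KdcEvent(NamedTuple):
    when: datetime
    req: str
    ip: str
    status: str
    client: str
    server: str


class SshFailure(NamedTuple):
    when: datetime
    user: str
    invalid_user: bool
    ip: str


def parse_kdc(text: str) -> list[KdcEvent]:
    events = []
    for m in filter(None, map(KDC_RE.match, text.splitlines())):
        p = PRINC_RE.search(m["rest"])
        if p:
            events.append(KdcEvent(_ts(m["ts"]), m["req"], m["ip"], m["status"],
                                   p["client"], p["server"]))
    return events


def parse_sshd(text: str) -> list[SshFailure]:
    return [SshFailure(_ts(m["ts"]), m["user"], m["invalid"] is not None, m["ip"])
            for m in filter(None, map(SSHD_RE.match, text.splitlines()))]


def split_principal(principal: str):
    """'krbtgt/UALBERTA.CA@EXAMPLE.ORG' -> ('krbtgt/UALBERTA.CA', 'EXAMPLE.ORG')"""
    name, _, realm = principal.rpartition("@")
    return name, realm


def cross_realm_tgs(events):
    """TGS requests for another realm's krbtgt: what a kinit afslog run for a
    foreign AFS cell looks like from the KDC, with the KDC's verdict."""
    hits = []
    for e in events:
        name, realm = split_principal(e.server)
        if e.req == "TGS_REQ" and name.startswith("krbtgt/") and name[7:] != realm:
            hits.append((e.client, name[7:], e.status))
    return hits


def name_mismatches(events, failures, window=timedelta(minutes=2)):
    """sshd rejected user X, yet the AS_REQ the KDC saw around that time named
    a different principal: the login style was handed a name other than X."""
    hits = []
    for f in failures:
        for e in events:
            if e.req != "AS_REQ" or abs(e.when - f.when) > window:
                continue
            princ, _ = split_principal(e.client)
            if princ != f.user:
                hits.append((f.user, princ, e.status))
    return hits


# Constructed sample lines; pid, addresses and principals are made up.
KDC_LOG = """\
May 19 10:06:34 kdc1 krb5kdc[4711](info): TGS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 192.0.2.1: UNKNOWN_SERVER: authtime 0,  alice@EXAMPLE.ORG for krbtgt/UALBERTA.CA@EXAMPLE.ORG, Server not found in Kerberos database
May 19 17:18:46 kdc1 krb5kdc[4711](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 192.0.2.1: ISSUE: authtime 1274282326, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
May 19 20:44:56 kdc1 krb5kdc[4711](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 192.0.2.1: CLIENT_NOT_FOUND: ghost@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Client not found in Kerberos database
"""
SSHD_LOG = """\
May 19 20:44:24 sshhost sshd[4242]: Failed none for invalid user alice from 192.0.2.100 port 52325 ssh2
May 19 20:44:24 sshhost sshd[4242]: Failed password for invalid user alice from 192.0.2.100 port 52325 ssh2
"""

if __name__ == "__main__":
    ev, fl = parse_kdc(KDC_LOG), parse_sshd(SSHD_LOG)
    print("cross-realm TGS:", cross_realm_tgs(ev))
    print("name mismatches:", name_mismatches(ev, fl))
```

The join is by time rather than by address on purpose: the KDC logs the ssh server's address (172.16.1.1 in the thread) while sshd logs the ssh client's, so the only keys the two logs share are the clock and the principal name. A two-minute window is generous; keep the hosts NTP-synchronised, since Kerberos itself rejects requests outside a skew of a few minutes anyway.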